STIGQter STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide Version: 1 Release: 20 Benchmark Date: 24 Jan 2020: The system must require authentication before allowing modification of the boot devices or menus. Secure the GRUB Menu (Intel).

DISA Rule

SV-60873r4_rule

Vulnerability Number

V-48001

Group Title

SRG-OS-999999

Rule Version

SOL-11.1-080140

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

The root role is required.

This action applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this action applies.

Update GRUB to use a custom configuration file.

# pfedit /rpool/boot/grub/grub.cfg
Insert the line:
source $prefix/custom.cfg

Create a password hash.

# /usr/lib/grub2/bios/bin/grub-mkpasswd-pbkdf2
Enter password:
Reenter password:
Your PBKDF2 is .......
Copy the long password hash in its entirety.

# pfedit /rpool/boot/grub/custom.cfg
Insert the lines:
set superusers="[username]"
password_pbkdf2 [username] [password hash]

Restart the system.

Check Contents

This check applies to X86 systems only.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

# grep source /rpool/boot/grub/grub.cfg
source $prefix/custom.cfg

If the output does not contain "source $prefix/custom.cfg" on a line of its own, this is a finding.

# grep superusers /rpool/boot/grub/custom.cfg.
# grep password_pbkdf2 /rpool/boot/grub/custom.cfg

If no superuser name and password are defined, this is a finding.

Vulnerability Number

V-48001

Documentable

False

Rule Version

SOL-11.1-080140

Severity Override Guidance

This check applies to X86 systems only.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

# grep source /rpool/boot/grub/grub.cfg
source $prefix/custom.cfg

If the output does not contain "source $prefix/custom.cfg" on a line of its own, this is a finding.

# grep superusers /rpool/boot/grub/custom.cfg.
# grep password_pbkdf2 /rpool/boot/grub/custom.cfg

If no superuser name and password are defined, this is a finding.

Check Content Reference

M

Target Key

2108

Comments